Cap rancher-external-ip-webhook to <=1.21 #33893
Comments
The new admission controller blocks the use of external IPs in Service resources entirely: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#denyserviceexternalips

The external-ip-webhook app enables an allowlist for certain IPs or CIDRs: https://github.com/rancher/externalip-webhook/blob/3252e5d20e5ab3cd9f1f21b5cff797ba617fce67/chart/questions.yaml#L3-L5

So the new admission controller is not a drop-in replacement for the webhook, and some users may still need the flexibility that the webhook provides on >1.21, so I do not think we should add this cap. I can't find any documentation on using rancher-externalip-webhook in rancher.com/docs except for this blog post, but if it exists we should convert it to recommend enabling the feature gate and only using the webhook if they need that flexibility.
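To make the difference between the two policies concrete, the following is an added example (not code from this issue, from rancher/rancher, or from the externalip-webhook project). It models the upstream DenyServiceExternalIPs rule, which rejects every net-new value of `spec.externalIPs` on create or update while still allowing values to be removed, next to a CIDR-allowlist check of the kind the webhook provides, and runs both over constructed Service objects. The allowlist CIDR and the function names are assumptions for illustration, not the chart's defaults or its API.

```python
"""Added example, not the project's code: compare DenyServiceExternalIPs with a
CIDR-allowlist webhook on constructed Service objects.

Upstream DenyServiceExternalIPs semantics modelled here:
  * create: any externalIPs value is rejected
  * update: values not already present on the old object are rejected;
            removing values is allowed
The allowlist policy is the webhook model: a value is accepted only if it falls
inside an operator-configured CIDR. The CIDR below is assumed for illustration.
"""
import ipaddress
from typing import Iterable, Optional, Set, Tuple

# Assumed operator allowlist (RFC 5737 documentation range), not a chart default.
ALLOWED_CIDRS = ["192.0.2.0/24"]


def _external_ips(service: Optional[dict]) -> Set[str]:
    """Return the set of spec.externalIPs on a Service object (empty if absent)."""
    if not service:
        return set()
    return set(service.get("spec", {}).get("externalIPs") or [])


def deny_service_external_ips(new: dict, old: Optional[dict] = None) -> Tuple[bool, str]:
    """Model of the DenyServiceExternalIPs admission controller.

    Returns (allowed, reason). `old` is None for a create request.
    """
    added = _external_ips(new) - _external_ips(old)
    if added:
        return False, "externalIPs may not be added: %s" % sorted(added)
    return True, ""


def allowlist_webhook(new: dict, allowed_cidrs: Iterable[str]) -> Tuple[bool, str]:
    """Model of an allowlist validating webhook (assumed policy, not the project's code).

    Every externalIPs value must lie inside one of `allowed_cidrs`; malformed
    entries are rejected rather than silently ignored.
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    rejected = []
    for ip in _external_ips(new):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            rejected.append(ip)
            continue
        if not any(addr in net for net in networks):
            rejected.append(ip)
    if rejected:
        return False, "externalIPs outside allowed CIDRs: %s" % sorted(rejected)
    return True, ""


def service(name: str, external_ips: list) -> dict:
    """Build a minimal constructed Service object for the examples."""
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": name},
        "spec": {"type": "ClusterIP", "ports": [{"port": 80}], "externalIPs": external_ips},
    }


def compare(new: dict, old: Optional[dict] = None, cidrs: Iterable[str] = ALLOWED_CIDRS) -> dict:
    """Run both policies on one request and return their verdicts side by side."""
    return {
        "DenyServiceExternalIPs": deny_service_external_ips(new, old),
        "allowlist-webhook": allowlist_webhook(new, cidrs),
    }


if __name__ == "__main__":
    # A create inside the allowlisted range: webhook allows, admission controller denies.
    print(compare(service("web", ["192.0.2.10"])))
    # A create outside the range: both deny.
    print(compare(service("web", ["198.51.100.7"])))
    # An update that only removes a value: DenyServiceExternalIPs allows it.
    old = service("web", ["192.0.2.10", "192.0.2.11"])
    print(compare(service("web", ["192.0.2.10"]), old))
```

The first case is the one the comment is about: a Service whose externalIPs fall inside the allowlist passes the webhook but is rejected outright by DenyServiceExternalIPs, so capping the chart removes that option rather than replacing it. Pre-existing externalIPs on already-created Services are not affected by the admission controller, and only additions trigger a rejection.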
Summary from security meeting: we'll go ahead with this cap for now and revisit supporting the webhook if it becomes apparent that users need the webhook's flexibility.
Moving to the To Test column as it requires k8s 1.22 in Rancher for validation. From @cmurphy to validate:
If we try to install the external-ip-webhook chart on a k8s 1.22 downstream cluster, installation should not go through.
Verified on v2.6-head 4375161
Upgrade:
The below was shipped in 1.21 and should fix CVE-2020-8554, which means we could cap rancher-external-ip-webhook at <=1.21. This will give users 1 full cycle to transition.
First we need to ensure the upstream fix is a replacement for this chart.